Thanks we are investigating. This was a SubCA that existed well before our 
acquisition of the Baltimore roots.  We are contacting the customer and are 
requesting a full report.

Jeremy

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
 On Behalf Of Jakob Bohm
Sent: Tuesday, January 19, 2016 4:49 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: SHA1 certs issued this year chaining to included roots

On 19/01/2016 02:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from 
> this year which chain to root CAs in Mozilla's program:
>
> - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root 
> [DigiCert] via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G"
>
> Also, the OCSP responder for this certificate appears to not include a 
> nextUpdate field.
>

Does the OCSP spec say what "no nextUpdate" should default to?  Like maybe 
"dontcache, expires instantly".

>
> - https://crt.sh/?id=12090324 -- chains to Security Communication 
> RootCA1 [SECOM] via subCA "YourNet SSL for business"
>       
> Also, this certificate is also missing OCSP information and appears to 
> be being served without OCSP stapling support.
>

If there is no OCSP, it obviously cannot be stapled.

In addition to the above, note that *code signing* and *document
signing* certificates may be issued after the deadline for SSL SHA-1 
certificates, because some important relying party software cannot be upgraded 
to support modern signature hash algorithms (most notably Microsoft platforms 
released before 2009).

Such compatibility SHA-1 certificates typically have to chain to existing roots 
too (again because of relying party software limitations).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature
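As an added example that is not part of this thread or of any poster's code, a stdlib-only Python check for what Charles spotted on the crt.sh entries: a certificate whose outer signatureAlgorithm is a SHA-1 OID and whose notBefore falls on or after 2016-01-01. It walks the DER itself rather than using a library; the certificate it inspects is a constructed placeholder skeleton with no real key or signature (not the crt.sh records), and the function names are my own.

```python
from datetime import datetime, timezone
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA1_DEADLINE = datetime(2016, 1, 1, tzinfo=timezone.utc)   # SSL SHA-1 issuance deadline

def der_read(buf, pos=0):                   # (tag, content, next_pos) of the TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):                  # split a SEQUENCE's content into (tag, content)
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        out.append((tag, inner))
    return out

def oid_to_str(content):
    first = min(content[0] // 40, 2)        # first byte packs the first two arcs
    arcs, acc = [first, content[0] - 40 * first], 0
    for b in content[1:]:                   # remaining arcs are base-128 varints
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_time(tag, content):
    s = content.decode("ascii")
    if tag == 0x17:                         # UTCTime: RFC 5280 maps YY >= 50 to 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_cert(der_bytes):                # flag SHA-1 signature + notBefore on/after deadline
    tbs, sig_alg, _sig = der_children(der_read(der_bytes)[1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    not_before = parse_time(*der_children(fields[3][1])[0])   # serial, sig, issuer, validity
    oid = oid_to_str(der_children(sig_alg[1])[0][1])
    return {"sig_alg": SHA1_OIDS.get(oid, oid), "not_before": not_before,
            "sha1_after_deadline": oid in SHA1_OIDS and not_before >= SHA1_DEADLINE}

def constructed_cert(not_before=b"160119024900Z"):
    """Constructed minimal sha1WithRSA certificate skeleton: a placeholder, no real key or signature."""
    der = lambda tag, content: bytes([tag, len(content)]) + content   # short-form lengths suffice
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
    validity = der(0x30, der(0x17, not_before) + der(0x17, b"170119024900Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

Feeding a real DER certificate (for example one downloaded from crt.sh) to `inspect_cert` gives the same dictionary, since the walker only depends on the fixed order of the TBSCertificate fields.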
